Can authenticate if Forefront TMG requests credentials. No credentials are supplied if anonymous access is enabled.

Recommendations

SecureNAT client: Use for non-Windows clients. Use if support for non-TCP or UDP protocols (such as ICMP or GRE) is required. Configure published non-Web servers as SecureNAT clients if you want to forward the original source IP address of the client to the published server.

Firewall client: Use when support for secondary protocols is required. Use for strong access controls. Records user names in logs.

Web Proxy client: Use for user-based Web access through a proxy and for chaining Web requests to upstream proxies. Good performance because Web requests are forwarded directly to the Web proxy filter.

The way in which Forefront TMG handles a request from a client in its internal networks depends on how the client computer is configured, and the type of request being made. For example:

On a Firewall client computer (with Firewall Client software installed and enabled), requests generated by applications that use Winsock application programming interfaces (APIs) are intercepted by the Firewall Client software. If the address requested is local, the connection is made directly. Otherwise, it is sent to the Firewall service on the Forefront TMG computer.

On a Firewall client computer or a SecureNAT client computer that does not have Web Proxy client settings configured, Web requests (HTTP, HTTPS, or FTP downloads) are passed transparently to the Web proxy listener for the network on which the request is received. This is known as transparent network address translation (NAT).

On any computer that is configured as a Web Proxy client, Web requests are sent directly to the Web proxy listener.
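
To see which of the cases above applies to a particular Windows client, the relevant settings can be read on the client itself. The following PowerShell is an added example, not part of the original documentation. The registry path is the standard per-user WinINET proxy location, the service name `FwcAgent` is an assumption to confirm on your installation, and the SecureNAT conclusion assumes the default gateway routes through Forefront TMG.

```powershell
param(
    # Assumption: service name of the Firewall Client agent; confirm on your build.
    [string]$FirewallClientService = 'FwcAgent'
)

# Web Proxy client settings for the current user (static proxy or configuration script).
# Automatic detection (WPAD) is stored elsewhere and is not inspected here.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxyServer = if ($inet.ProxyEnable -eq 1) { $inet.ProxyServer } else { $null }
$autoConfig  = $inet.AutoConfigURL
$isWebProxyClient = [bool]($proxyServer -or $autoConfig)

# Firewall Client software must be installed and enabled to intercept Winsock calls.
$svc = Get-Service -Name $FirewallClientService -ErrorAction SilentlyContinue
$isFirewallClient = [bool]($svc -and $svc.Status -eq 'Running')

# Default gateways, reported so you can check whether traffic is routed via Forefront TMG.
$gateways = @(Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { $_.DefaultIPGateway } | Where-Object { $_ })

# Map the settings onto the request-handling cases described above.
$webPath = if ($isWebProxyClient) {
    'Sent directly to the Web proxy listener'
} else {
    'Passed transparently to the Web proxy listener of the receiving network'
}
$winsockPath = if ($isFirewallClient) {
    'Intercepted by Firewall Client: local addresses direct, others to the Firewall service'
} else {
    'Not intercepted: routed through the default gateway (SecureNAT client if that route is Forefront TMG)'
}

[pscustomobject]@{
    WebProxyClient  = $isWebProxyClient
    ProxyServer     = $proxyServer
    AutoConfigURL   = $autoConfig
    FirewallClient  = $isFirewallClient
    DefaultGateways = $gateways -join ', '
    WebRequests     = $webPath
    WinsockRequests = $winsockPath
} | Format-List
```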